AthenaGo

AthenaGo remote access trojan (RAT) uses a never-before-seen capability utilizing Tor proxies to redirect traffic from infected hosts to servers hidden on the Tor network. It is written in the “Go” programming language and deployed against Microsoft Windows machines. The “Go” language includes more details in its binaries, making it easier for researchers to detect the malware’s capabilities. According to Cisco, AthenaGo is distributed via spam emails and is targeting users in Portugal as of February 2017. The emails contain malicious Microsoft Word files purportedly from Portugal’s main postal service. Opening the file and enabling macros allows the script to execute, downloading and installing the trojan. It then follows a series of procedures by reporting to its C2 server and later requests commands to execute on the infected device. It is likely that its author and distributor of AthenaGo is the same person, as the same username is used for the binary and Word document. AthenaGo supports the following commands:

  • ListDir - Returns a directory listing from the infected system.
  • ListProcesses - Returns a list of processes running on the infected system.
  • KillProcess - Causes the malware to execute the taskkill command against a targeted process running on the infected system.
  • DownloadFile - Causes the malware to download a file and save it into a target location specified in the command parameters.
  • DLRUN - Causes the malware to download a file, save it to %TEMP% and execute the downloaded file.
  • RunCMD - Uses AthenaGo's operating system/execute package to execute system commands on the infected system.

AthenaGo communicates with its C2 server using the tor2web.org service, a proxy system that redirects traffic from the public internet to the Tor network without requiring users to download the Tor package. Using Tor hides the C2 servers, making them harder to identify.

Reporting

  • February 2017: AthenaGo RAT Uses Tor2Web Proxy System to Hide C&C Server (BleepingComputer)

Technical Details

  • Cisco’s Talos Group provides technical details on the AthenaGo RAT, here.
One example of the AthenaGo trojan. Image Source: Cisco Talos

One example of the AthenaGo trojan. Image Source: Cisco Talos